INTRODUCTION

This data protection policy describes how data will be collected, handled and stored to meet Hattrick Advisory Services Ltd (“HAS”) data protection standards and to comply with the relevant legislation. 

SCOPE

This Data Protection Policy (the “Policy”) applies to the HAS website (the “Website”) located at (www.hattrickadvisoryservices.com ), and which is administered by HAS. This policy is designed to help you understand how the website collects, uses, and shares your information, and what  choices are available to you in regard to the same. 

Note: Visiting the HAS website will be deemed as an acceptance of the terms and conditions of this data protection policy.

DEFINITION OF TERMS

For purposes of this policy “we” and “our” refers to HAS and /or their assignees, together and interchangeably as the case may be.

Hattrick – means the business or organization registered and domiciled Kenya as Private Company.

The Website – the digital platform containing information about HAS and related data. 

Consent – “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.” GDPR Definition

Cookies – Small files which are stored on your internet browser by websites. These files are used to store information about visitors to websites. 

Data –  all information that is collected, stored and shared about and by HAS website visitors, registered users, staff & team, communities, projects and people HAS works with. This include and are not limited to email address, telephone numbers, location addresses, etc. 

Data Breach – A data breach is a security incident in which an unauthorized individual or entity gains access to sensitive, confidential, or protected information, held by an organization or entity.

Data integrity – The reliability and trustworthiness of data through its lifecycle.” (Egnyte)

Data subject –  A natural person or entity whose personal data is subject to processing and consumption.

End-to-end encryption – Process and action of ensuring that a message is turned into a secret message by its original sender and decoded only by its final recipient.”

HTTPS – an encrypted communication method that allows information to move securely and privately on the internet between users and websites. 

Metadata – This is secondary data that provides a description of the actual data.

Personal data – Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” GDPR Definition

Public data – Data that is made publicly available to visitors and users of our website.

Processing – Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” GDPR Definition

Registered user – An organization or individual that visits the HAS website and /or creates, retains and manages a profile on the HAS website.

 

Responsible data –  A concept that refers to our collective duty to prioritize and respond to the ethical, legal, social and privacy-related challenges that come from using data. The term encompasses a variety of issues which are sometimes thought about separately, like data privacy and data protection, or ethical challenges” (Responsible Data website). 

Third Party – A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.” GDPR definition

Website visitor – An individual who visits the HAS website. 

Server – A computer program or device that provides a service to another computer program and its user, also known as the ‘client’.

 

PRINCIPLES

The HAS team, and representatives are expected to adhere to the responsible processing of all data on the platform. This includes securing devices, limiting access to the website online services, and following established data privacy protocols. In the event of a data privacy incident or breach, HAS and its representatives must document and notify the designated authority. The designated authority will then ensure that the incident is addressed and that procedures are in place to ensure that the incident can be resolved and mitigated in the future.

This policy is guided by six principles requiring that data be:

1. Processed lawfully, fairly and in a transparent manner.
2. Collected for specified, explicit and legitimate purpose.
3. Adequate, relevant and limited to what is necessary.
4. Accurate and where necessary, kept up to date.
5. Retained only for as long as necessary.
6. Processed in an appropriate manner to maintain security.

RIGHTS OF DATA SUBJECTS

Any individual/organization on the platform has a right to access and request correction to information, or request that information be deleted. In some circumstances it may not be possible for HAS to provide the individual/organization with all of their personal information for example in cases where a legal exemption may apply. An example may be if personal information is subject to attorney-client privilege, or if HAS is involved in legal proceedings where disclosure of the information would jeopardize the outcome of the case, we may not be able to provide the individual/organization with all of their personal information.

In order to make a request to access data please refer to the contact information section at the bottom of this policy. 

To protect your privacy and security in the event of a request for access to your account, data and/or to make corrections to your information, HAS will take reasonable steps to verify your identity before granting you access or making changes to your data.

Below are definitions (based on the GDPR standards of the rights) of rights that data subjects have within this Data Protection Policy:

• Right to be informed: The right to obtain clear and concise information about what EPIC-Africa does with their personal data. 

• Right to access: The right to obtain a copy of their personal data, as well as other supplementary information. 

• Right to rectification: The right to have inaccurate personal data rectified. 

• Right to erasure: The right to ask that information be deleted completely from the platform. This can be done by sending a request to (email address TBC) 
• Right to restrict processing: The right to ask that HAS restricts the processing of personal data in the case that:
  • The individual contests the accuracy of their personal data and would like to verify the accuracy of that data.
  • The data has been unlawfully processed and the individual opposes erasure and requests restriction instead.
  • HAS no longer needs the personal data but the individual requests that it be held to establish or defend a legal claim.

• Right to data portability: The right to receive personal data provided in a structured, commonly used and machine-readable format. 
• Right to object: The right to request  to stop processing your data at any time. This will not apply to data that has already been processed. 
• Rights in relation to automated decision making and profiling: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. 

DATA COLLECTION DETAILS

The HAS website only collects information that is necessary to provide services to users.

Website visitors

The HAS website automatically tracks anonymous website visit metrics via Segment and Mixpanel. The information collected may include usage information, such as the number and frequency of users to the website, pages visited, web browsing histories, internet browser type, your location (optional). When gathered, this data is used in the aggregate, and not in a manner that is intended to identify you personally. 

HAS uses cookies, to administer content for visitors to the website. We do not use cookies to track individuals and identify them personally. Please refer to our cookies policy for details.

HAS collects the following data to better understand our visitors’ needs and provide better services:

• Browser ID so that HAS can understand the technology used to access the platform.
• Pages visited so that HAS can understand the topics and pages that are most of interest.
• Location: (optional) location information can be shared with us, so that HAS can better understand which geographical locations we are getting visitors from

Information collected from platform visitors will be used to:

• Personalize service provision on the website, such as auto-populating information from previous visits.
• Monitor and analyze the operation and effectiveness of the website and for the HAS team to see engagement statistics of pages and content on the website.

DATA BREACH PROCEDURES

Data breaches can be recognized in a variety of ways. Below is a non-exhaustive list of indicators of a potential data breach:

1. Unauthorized access to websites or online accounts
2. Suspicious activity on websites or online accounts
3. Detection of malware on devices or phishing attempts to online spaces
4. Unexpected transfers or downloads of protected information
5. Discovery of leaked information on the web or public forums
6. Unauthorized changes in online information
7. Notification from external parties about a security vulnerability
8. Reports of leaked or compromised information from external entities.

Data breaches can occur due to a combination of factors, mainly including targeted attacks by malicious actors and exploitation of security measures in place. 

In the event of a data breach on HAS webite, the following actions will be taken:

• Containment

In the case of a data breach, the IT Support and the HAS team are notified via (email address TBC) not later than 72 hours by the individual who discovered the data breach. Once the organization has discovered or suspected that a data breach has occurred, the IT support will immediately take action to limit and/or mitigate the breach. This may mean and /or include stopping the unauthorized practice, recovering the records, shutdown of the system under breach, or revoking or changing computer access privileges in order to address weaknesses in physical or electronic security.

• Assessment

Conducting an assessment will help HAS understand the risks involved in data breach and how to address them. The following points will be considered in this analysis:

• The type or types of personal information involved in the data breach.
• The circumstances of the data breach, including its cause and extent
• The nature of the harm to affected individuals, and if this harm can be removed through remedial action.

• Notification

If the data breach is likely to result in personal injury or harm to data subjects, the platform manager will communicate the data breach to all registered users and take mitigating measures as soon as possible. 

The notification will include:

1. A description of the nature of the data breach including, where possible, the approximate number of data subjects concerned, and the approximate number of data records concerned.
2. The contact details of the HAS team or other contact/s where more information can be obtained about the data breach.
3. An outline of the likely consequences and risks of the data breach.
4. A description of the measures taken or proposed to be taken by the HAS team to address the data breach, including measures to mitigate possible adverse effects.

• Review

Once the above steps are performed, HAS will do an in-depth analysis of what happened. 

This will involve:

• A security review, including a root cause analysis of the data breach.
• A prevention plan to prevent similar incidents in future.
• Audits to ensure the prevention plan is implemented.
• A review of policies and procedures, and subsequent changes that reflect lessons learned.
• Changes to employee selection and training practices.
• A review of service delivery partners that were involved in the breach.

DATA SHARING WITH THIRD PARTIES

HAS will ensure that personal data is not disclosed to unauthorized third parties. The HAS team will exercise caution when asked to disclose personal data held on a data subject to a third party. The team will consider whether disclosure of the information is relevant to, and necessary for, the conduct of platform objectives. Disclosure will only be to third parties that are authorized to receive it, and with whom there is data protection or confidentiality agreement in place.

Authorized third parties include, but are not limited to:

• External project consultants
• Business partners
• The IT support team

THIRD-PARTY WEBSITES

The HAS website contains links to websites and services provided by third parties. Any personally identifiable information you provide on third party sites or services is provided directly to that third party and is subject to that third party’s policies. HAS is not responsible for the content or privacy and security practices and policies of third-party sites or services to which links are displayed on this website. We encourage you to learn about third parties’ privacy and security policies before providing them with personally identifiable information.

LEGISLATION

Currently, the data for the HAS website is stored by our Hosting Services Provider and is therefore subject to the General Data Protection Regulation within the EU.

HAS also wants to ensure that this policy adheres to relevant regional data policy frameworks particularly for issues about data handling, storage of data and movement of data across borders in the region. The African Union Data Policy Framework also provides recommendations for practices for data protection policies to adhere to. The main guidelines EPIC-Africa adheres to include:

• Fairness and inclusiveness: Ensure the data protection policy is inclusive and equitable, offering opportunities and benefits to all Africans, and in so doing, seek to redress national and global inequalities by being responsive to the voices of those marginalized by technological developments. 
• Trust, safety and accountability: Promote trustworthy data environments that are safe and secure, accountable to data subjects, and ethical and secure by design. 
• Sovereignty: Institutions and International organizations shall cooperate to create capacity to enable African countries to self-manage their data, take advantage of data flows and govern data appropriately. 
• Integrity and justice: Ensure data collection, processing and usage are just and lawful, and data will not be used to discriminate unfairly or infringe peoples’ rights. 

SECURITY

HAS will take all steps necessary to ensure that data stored on the platform is treated securely and in accordance with this Data Protection Policy. Below are security procedures that EPIC-Africa will apply to protect stored data:- 

• Access to data is protected by strong passwords that are changed regularly and never shared with unauthorized parties.
• All data is backed up at least once per month. Those back-ups are tested regularly, in line with standard backup procedures.
• Servers containing data are protected by approved security software and a firewall to prevent unauthorized and malicious hacking activity of stored data.
• Website communication between the platform and users is protected through end-to-end encryption using the HTTPS protocol.
• Operating systems and software used in the platform are constantly upgraded.
• Connection to the server hosting the data is made securely via SSH (Secure Shell Protocol) and using authentication.

• The platform is monitored through intrusion prevention software to monitor login attempts to protect the server against brute force attacks.
• HAS constantly audits files and services that are running on the server, its protocols and communication ports to make sure there are no flaws that could lead to vulnerabilities.

DATA RETENTION

Information collected from the website visitors and users will be retained as long as needed for a specific purpose. Personal Identifier Information (PII) that is collected or processed will be only for as long as it is required to achieve the purpose for which it was collected.

When PII is no longer necessary for these purposes, it will be deleted. When this is done, the data will no longer be viewable or accessible. 

HAS CONTACT INFORMATION

If an individual or entity has a request, a question or wishes to make a complaint about the way HAS has handled their information, they may do so by contacting the HAS Management in writing at info@hattrickadvisoryservices.com